Turn Openscap OVAL report into Puppet facts

June 09, 2017 by Konstantin Ryabitsev

I wanted to have a quick way to find out which systems had a particular
set of outstanding errata. There are actually quite a few solutions that
will do that for you, but I wanted a free/libre way of doing it that
would integrate with our existing open-source Puppet (we don't use PE)
and would be easy to query via mcollective orchestration.

Red Hat dutifully publishes an Openscap OVAL file for RHEL, but we
needed a solution that worked both for RHEL and CentOS (not because
we're cheapskates, but because we use Cloud providers that do not offer
a RHEL option and we need to track errata on those systems, too).

After a bit of effort, I had a small wrapper script around openscap that
would translate the report results into Puppet facts: